Researchers at the University of Texas San Antonio have published a review of the security and privacy risks posed by e-scooters and their related software services and applications.
We were already investigating the risks posed by these micromobility vehicles to pedestrians’ safety. During that study, we also realized that besides significant safety concerns, this new transportation paradigm brings forth new cybersecurity and privacy risks as well.—Murtuza Jadliwala, an assistant professor in the Department of Computer Science, who led this study
According to the review, which will appear in the proceedings of the 2nd ACM Workshop on Automotive and Aerial Vehicle Security (AutoSec 2020), hackers can cause a series of attacks, including eavesdropping on users and even spoof GPS systems to direct riders to unintended locations. Vendors of e-scooters can suffer denial-of-service attacks and data leaks.
E-scooter ecosystem and attack points. Vinayaga-Sureshkanth et al.
Micromobility vehicles are gaining popularity due to their portable nature, and their ability to serve short distance urban commutes better than traditional modes of transportation. Most of these vehicles, offered by various micromobility service providers around the world, are shareable and can be rented (by-the-minute) by riders, thus eliminating the need of owning and maintaining a personal vehicle. However, the existing micromobility ecosystem comprising of vehicles, service providers, and their users, can be exploited as an attack surface by malicious entities—to compromise its security, safety and privacy.—Vinayaga-Sureshkanth et al.
Those who sign up to use e-scooters also offer up a great deal of personal and sensitive data beyond just billing information. According to the study, providers automatically collect other analytics, such as location and individual vehicle information. This data can be pieced together to generate an individual profile that can even include a rider’s preferred route, personal interests, and home and work locations.
Potential attacks identified include:
Physical damage, including the theft of brake wires and batteries, or theft of the scooter. An attacker can target the e-scooter battery, circumvent native security mechanisms by draining it, the install malicious modules, and remove or replace key components, before placing it back in service. This could allow the remote control of the e-scooter or the covert gathering of data.
Eavesdropping. Some e-scooter models communicate with the rider’s smartphone over a Bluetooth Low Energy channel. Someone with malicious intent could eavesdrop on these wireless channels and listen to data exchanges between the scooter and riders’ smartphone app by means of easily and cheaply accessible hardware and software tools such as Ubertooth and WireShark.
Man-in-the-Middle (MITM) and Replay Attacks. With sufficient knowledge obtained from the eavesdropping attack, an attacker can modify commands or drop data communication between a rider smartphone and an e-scooter. BLE vulnerabilities have allowed researchers to perform MITM attacks on the Xiaomi M365 e-scooter.
Denial-of-Service. This type of attack has the ability to disrupt any service such as locking and unlocking the e-scooter, etc. (often rendering them inaccessible) and can be targeted towards the e-scooter exhausting its resources, or towards the service providers affecting their quality of service.
Spoofing. Micromobility applications track the location of the e-scooter using the inbuilt GNSS module on board the e-scooter or using the rider’s smartphone or both. An attacker can target either option. In the first approach, the rider can install any location-spoofing applications (available on the Internet) on the smartphone to fake their location. After installation, the rider can easily trick the micromobility application and the service provider. In the second approach, the attacker can manipulate or replay GPS signal using SDR hardware (HackRF, USRP, BladeRF, etc.) which can produce and broadcast forged GPS signals to the victim receiver. It is also possible for an attacker to capture a GPS signal from a different location and rebroadcast it to the victim receiver (replay attack). The latter approaches can trick both the GNSS modules on the smartphone (solely reliant on GPS for location) and the e-scooter.
Fuzzing. This attack gives the attacker the ability to gauge how each service provider ecosystem handles the e-scooters from the responses, from the API and other control systems, obtained after testing with request or command variants with the intent to identify bugs or vulnerabilities (not found through passive eavesdropping).
User Data Sharing and Inference. User data in this micromobility platform can range from any smartphone-related activity to a history of locations the rider has visited for any period of time.
This study was produced in UTSA’s Security, Privacy, Trust and Ethics in Computing Lab, which was also behind the recent publication on how smart bulbs can be hacked. The lab is dedicated to examining privacy and security issues in ubiquitous devices.
Nisha Vinayaga-Sureshkanth, Raveen Wijewickrama, Anindya Maiti, Murtuza Jadliwala (2020) “Security and Privacy Challenges in Upcoming Intelligent Urban Micromobility Transportation Systems.” In Proceedings of The 2nd ACM Workshop on Automotive and Aerial Vehicle Security (AutoSec’20). arXiv preprint arXiv:2001.01387